Security: Heap-use-after-free in RuntimeCustomBindings::GetExtensionViews
Issue description
Chrome version: 50.0.2661.75
RuntimeCustomBindings::GetExtensionViews retrieves a vector of RenderFrame*s of the current extension, and stores each item in a v8::Array. But the extension can intercept the setter for a numeric index (e.g. 0), destroy the RenderFrame and cause a UAF. Oops. To reproduce, just load the attached extension (manifest.json & background.js). The extension does not need any permissions.
May 2 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/aa7a889002dd7a1288cc5e962086e517131fb01e
commit aa7a889002dd7a1288cc5e962086e517131fb01e
Author: rob <rob@robwu.nl>
Date: Mon May 02 16:18:37 2016
Create array of extension views without side effects
BUG= 608104
Review-Url: https://codereview.chromium.org/1935953002
Cr-Commit-Position: refs/heads/master@{#390961}
[modify] https://crrev.com/aa7a889002dd7a1288cc5e962086e517131fb01e/extensions/renderer/runtime_custom_bindings.cc
May 3 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704)
May 3 2016
Please merge your change to M51 branch 2704 by 4:00 PM PST today so we can take it for this week's beta release tomorrow. Thank you.
May 3 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3d0effb3db93713cafeea3bc81231403b5cba018
commit 3d0effb3db93713cafeea3bc81231403b5cba018
Author: Rob Wu <rob@robwu.nl>
Date: Tue May 03 21:23:08 2016
Create array of extension views without side effects
BUG= 608104
Review-Url: https://codereview.chromium.org/1935953002
Cr-Commit-Position: refs/heads/master@{#390961}
(cherry picked from commit aa7a889002dd7a1288cc5e962086e517131fb01e)
Review URL: https://codereview.chromium.org/1948773002 .
Cr-Commit-Position: refs/branch-heads/2704@{#362}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}
[modify] https://crrev.com/3d0effb3db93713cafeea3bc81231403b5cba018/extensions/renderer/runtime_custom_bindings.cc
Jun 6 2016
Updating severity.
Jun 6 2016
$1,500 here Rob ($1000 for the report, +$500 for the patch). Cheers as always!
Aug 9 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rob@robwu.nl, Apr 30 2016
Owner: rob@robwu.nl
Status: Started (was: Unconfirmed)